IT assets

Guest user Created:   Jan 12, 2017 Last commented:   Jan 17, 2017

I am facing a few issues regarding drafting the asset inventory, which are as follows:
Expert
Rhand Leal Jan 12, 2017

1. Do office networks come under the asset list?

Answer: If information your organization wants to protect travels through these networks, they should be included on the asset list.

2. Do router, firewall and other network components come under the asset list?

Answer: The elements of a network should be considered separately in the asset list, since each one of them may be under different scenarios and risks (e.g., router and firewall in an internal network are under different risks than those facing Internet connection).

3. How to calculate the asset value?

Answer: The main approach is to define a scale (e.g., low, moderate and high, or 1, 2 and 3) and attribute to each value a meaning based on: 1) costs related to the asset (e.g., acquisition costs, maintenance costs, replacement costs, etc.); and 2) losses for the business if the asset is unable to perform its functions (e.g., effort to recreate information, value of the information loss, revenue loss, etc.). For example, a low or 1 for asset value could mean costs/losses under 10k, and a high or 3 for asset value could mean costs/losses above 10M.

4. How to decide Confidentiality, Integrity and Availability value (high, medium, low)?

Answer: Generally, IT assets inherit the highest information classification among the information handled by them.

This article will provide you with further explanation about the asset list:

- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding information assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
niveditarathore Jan 17, 2017

How to assign a value to an asset quantitatively on a scale of Low, Medium and High corresponding to Confidentiality, Availability and Integrity?

Expert
Rhand Leal Jan 18, 2017

To assign value to an asset corresponding to confidentiality, integrity and availability, you should identify how each of these aspects of the asset influences the organization's objectives, results or operations.

It is important to note that assigning value specifically for confidentiality, integrity and availability is not required by the standard, and the most common practice is to attribute a single value for the asset, so your process does not become too complex.

Guest
niveditarathore Jan 18, 2017

Can asset value (single subjective value high, medium, low) be assigned on the CIA value?

Guest
niveditarathore Jan 18, 2017

Which is the best formula for evaluating the asset value?
Asset value = Max (CIA)
OR
Asset value = average of CIA
Asset Value = C * I * A
Asset Value = C + I + A

Expert
Rhand Leal Jan 19, 2017

>Can asset value (single subjective value high, medium, low) be assigned on the CIA value?

Answer: The asset value, in terms of business objectives, results and operations, is used to help define the CIA value, not to be directly assigned to them, since the same asset may have different impacts on CIA, depending upon its purpose. For example, a website intended to provide relevant public information should have an availability value greater than its confidentiality value.

>Which is the best formula for evaluating the asset value?
>Asset value = Max (CIA)
>OR
>Asset value = average of CIA
>Asset Value = C * I * A

Answer: The most practical formula to evaluate the asset value in terms of CIA is MAX (CIA), where with a single value you cover the worst-case scenario for CIA. Attributing to the asset a value for each aspect of the CIA allows you to better allocate resources if there is a great difference between the values (e.g., C=3, I=1, and A=1), but it makes your asset management more complex, so you should use this method only if you can justify adding such complexity in return for better resource allocation.

You should not use the average of CIA because an average value can hide a high value of one aspect of CIA, which can result in an asset with less protection than needed. For example, with C=3, I=1, and A=1, the average would be 1.67, a value well below the value 3 attributed to confidentiality.

This article will provide you with further explanation about valuing assets:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

These materials will also help you regarding valuing assets:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
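
Added example (not part of the original thread or the expert's own material): a short Python sketch of the MAX(CIA) rule and the classification-inheritance rule discussed above, on the 1-3 scale. The asset names, ratings, mappings and the `spread_threshold` parameter are constructed for illustration.

```python
from statistics import mean

# Constructed sample data on the 1-3 scale used in the thread.
INFO_CLASSIFICATION = {"payroll records": 3, "staff directory": 2, "press releases": 1}
HANDLED_BY = {  # IT asset -> information it handles (hypothetical mapping)
    "HR file server": ["payroll records", "staff directory"],
    "public website": ["press releases"],
}
CIA = {  # per-aspect ratings; the file server is the C=3, I=1, A=1 case from the answer
    "HR file server": {"C": 3, "I": 1, "A": 1},
    "public website": {"C": 1, "I": 2, "A": 3},
    "office printer": {"C": 1, "I": 1, "A": 1},
}


def inherited_classification(asset):
    """An IT asset inherits the highest classification of the information it handles."""
    handled = HANDLED_BY.get(asset, [])
    return max((INFO_CLASSIFICATION[i] for i in handled), default=None)


def assess(cia, spread_threshold=2):
    """Compare MAX(CIA) with the average and flag a large per-aspect spread.

    spread_threshold is an assumption of this example: a gap of 2 levels between
    the highest and lowest aspect marks the asset as a candidate for per-aspect values.
    """
    worst = max(cia.values())
    avg = round(mean(cia.values()), 2)
    return {
        "max": worst,                          # single asset value, worst case
        "average": avg,                        # shown only for comparison
        "average_hides_high": avg < worst,     # average understates the top aspect
        "per_aspect_candidate": worst - min(cia.values()) >= spread_threshold,
    }


def build_register():
    """Return the assessed register for every asset in the constructed CIA table."""
    return {name: assess(ratings) for name, ratings in CIA.items()}


if __name__ == "__main__":
    for name, row in build_register().items():
        print(name, row, "inherited:", inherited_classification(name))
```
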
